A working group under Quadrilateral Security Dialogue (Quad) has identified gaps in the security specification for open radio access network (RAN). The ‘Open RAN Security Report’ by Quad Critical and Emerging Technology Working Group said that it is unclear the way O-RAN Alliance has selected security guidelines and best practices related to open RAN security.
As per the report, parts of the open RAN security specification appear to be incomplete. For example, security requirements do not cover all security principles, specified security controls do not cover all security requirements, and security controls do not cover all components or interfaces. It added that It is often unclear how guidance has been determined or how it relates to other parts of the security specification. For example, no details on how security principles have been derived and how the security controls address security threats.
The working group referred to a set of reports which stated that open RAN may increase security risks, especially those associated with disaggregation and openness of the system. A study by the French Institute of International Relations (IFRI) said in its report that the disaggregation of RAN functionalities may result in lower-quality performance due to components provided by multiple suppliers. The IFRI study said that because not all suppliers are trusted, the performance of the components compared to proprietary solutions and their inherent security vulnerabilities remain in question.
The Quad working group said that a large number of best practices shows that relevant guidance does exist but they just are not yet in a consolidated form. In its report, the group stated that additional efforts from industry groups will be required to support open RAN stakeholders to identify and adopt relevant security best practices. This applies in particular to mobile network operators, as the absence of a single RAN vendor requires them to take on new security responsibilities in the open RAN life cycle.
